Eyemart Express Data Breach Class Action Lawsuit, What Happened, Who Is Affected, and What to Do Now
A new class action lawsuit alleges Eyemart Express failed to properly secure and safeguard the personally identifiable information and protected health information of thousands of individuals after the Payouts King ransomware group allegedly exfiltrated 435 GB of data around March 10, 2026. The complaint was filed April 30, 2026 in Texas federal court — and as of that date, Eyemart Express had still not sent individual breach notifications to most affected patients and customers. No settlement exists yet. This case is at its earliest stage.
Eyemart Express Data Breach Lawsuit Quick Facts
| Field | Detail |
| Case Name | Lewis v. Eyemart Express LLC |
| Court | U.S. District Court, Northern District of Texas |
| Filed | April 30, 2026 |
| Plaintiff | Lisa Lewis |
| Defendant | Eyemart Express LLC — Farmers Branch, Texas |
| Breach Date | Around March 10–11, 2026 |
| Threat Actor | Payouts King ransomware group |
| Data Stolen | ~435 GB |
| Reported to Texas AG | April 17, 2026 |
| Individual Notices Sent | Not yet sent as of April 30, 2026 filing date |
| Laws Alleged Violated | HIPAA, FTC data security guidelines, negligence, state consumer protection law |
| Class Sought | Nationwide — all U.S. patients and customers affected |
| Current Stage | Early litigation — no scheduling order, no response from Eyemart Express yet |
| Last Updated | May 21, 2026 |
What Is the Eyemart Express Data Breach Lawsuit About?
Plaintiff Lisa Lewis claims Eyemart Express was negligent in securing and safeguarding information, failing to monitor its networks and implement adequate data security practices, allegedly leaving consumers’ private information vulnerable to attack.
Here is what the timeline looks like. On March 10, 2026, a cybersecurity monitoring platform identified a dark web post by a threat actor known as “Payouts King” claiming responsibility for the breach. Eyemart Express began notifying affected individuals on April 17, 2026 that their data had been accessed on March 11, 2026. That is a 37-day gap between the breach and the first disclosures — and the class action complaint was filed just 13 days after that, on April 30.
According to a report submitted to the Texas Attorney General’s Office, the Eyemart Express data breach compromised names, addresses, Social Security numbers, driver’s license numbers, medical information, health insurance information, and birth dates. As of April 17, 2026, when the report was posted on the Texas AG website, the company had not yet notified affected individuals.
For patients of an optical retailer, the nature of the stolen data matters. Eyemart Express stores not just contact and identification information — it holds the kind of protected health information (PHI) that comes with vision exams: diagnoses, prescriptions, insurance records, and treatment histories. The class action lawsuit claims Eyemart Express failed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and Federal Trade Commission guidelines, which mandate reasonable data security measures to protect sensitive information.
Lewis claims she and other class members face a heightened risk of fraud and identity theft, including medical identity theft, for years to come. Medical identity theft — where stolen health information is used to fraudulently bill insurers or obtain prescriptions — is particularly damaging because it can take years to detect and correct.
Eyemart Express operates more than 250 stores across more than 40 states and manages multiple brands including Eyewear Express, Vision4Less, and Visionmart Express. The total number of individuals affected has not been publicly disclosed by the company. This kind of identity theft lawsuit against a healthcare-adjacent retailer follows a well-documented pattern. Healthcare data breaches at optical and vision care providers have produced significant settlements — the Nucor data breach settlement and the Fidelity data breach settlement both arose from similar failures to protect sensitive personally identifiable information.
Related article: Roblox Child Labor Class Action Lawsuit Accuses Platform of Exploiting Minor Developers Are You Affected?
Are You Part of the Eyemart Express Class Action?
The lawsuit seeks to represent everyone in the United States whose personal information was compromised in this breach.
You may be part of this class if:
- You are a current or former patient or customer of Eyemart Express, Eyewear Express, Vision4Less, or Visionmart Express
- Your personal or health information was stored in Eyemart Express systems at or before the time of the March 2026 breach
- You received a breach notification letter or email from Eyemart Express after April 17, 2026
- You believe your information may have been accessed even if you have not yet received a notice
You are likely NOT included if:
- You have never been a patient or customer at any Eyemart Express brand location
- You are an officer or director of Eyemart Express LLC
- You timely opt out of the class if and when it is certified by the court
The total number of individuals affected has not been publicly disclosed. If you visited any Eyemart Express brand store for an eye exam or purchased eyewear and provided personal or insurance information, your data may have been in the affected systems. You do not need to have received a notice letter to potentially be part of the class.
What Are Eyemart Express Plaintiffs Seeking?
No money is available right now. No claim form exists. The lawsuit is at its earliest stage and Eyemart Express has not yet filed a response. Plaintiffs are asking the court for:
- Compensatory damages for the harm caused by the data breach, including the elevated risk of identity theft and medical identity fraud
- Restitution for the value of the privacy and data security protections Eyemart Express failed to provide
- Injunctive relief — a court order requiring Eyemart Express to implement industry-standard cybersecurity measures going forward
- Class certification to allow all affected U.S. patients and customers to be represented collectively
The complaint invokes negligence, violations of HIPAA and FTC data security guidelines, and state consumer protection law. These are the same legal theories that have driven multi-million dollar settlements in comparable eye care data breach cases — including the $5 million EyeMed Vision Care settlement and the $3 million 20/20 Eye Care Network settlement.
What Should You Do Right Now If You Were Affected?
You do not need to take any legal action yet. But there are concrete steps you should take now, regardless of whether the case eventually settles.
- Watch your mail and email for a breach notification letter from Eyemart Express. Save it. The letter is important documentation if the case moves toward settlement.
- Place a fraud alert or credit freeze on your credit reports at all three bureaus — Equifax, Experian, and TransUnion — at annualcreditreport.com. This is free and takes minutes.
- Review your health insurance statements for any services you did not receive. Medical identity theft can result in fraudulent claims being filed in your name.
- Monitor your financial accounts for unauthorized activity — Social Security numbers and driver’s license numbers in the wrong hands can be used to open new credit lines.
- Save any documentation connecting you to Eyemart Express — appointment records, receipts, emails, insurance EOBs — in a folder. This will matter if a claims process opens later.
- Consult a data privacy attorney if you want to explore individual legal options or have already experienced identity theft or fraud you believe is linked to this breach.
Eyemart Express Data Breach Lawsuit Timeline
| Milestone | Date |
| Payouts King claims breach on dark web | March 10, 2026 |
| Breach confirmed to have occurred | March 11, 2026 |
| Eyemart Express reports breach to Texas AG | April 17, 2026 |
| Eyemart Express begins individual notifications | April 17, 2026 |
| Class action complaint filed (Lewis v. Eyemart Express) | April 30, 2026 |
| Defendant response due | TBD — not yet filed |
| Class certification motion | TBD — pending early litigation |
| Possible settlement or trial | TBD — no timeline established |
Frequently Asked Questions
Is there a class action lawsuit against Eyemart Express?
Yes. Lewis v. Eyemart Express LLC was filed April 30, 2026 in the U.S. District Court for the Northern District of Texas. It alleges Eyemart Express failed to implement adequate cybersecurity protections, allowing the Payouts King ransomware group to steal approximately 435 GB of sensitive patient and customer data.
Do I need to do anything right now to be included in the lawsuit?
No action is required yet. The class has not been certified. Save your breach notice if you received one, take steps to protect your credit and identity, and monitor AllAboutLawyer.com and the court docket for updates as the case develops.
What personal information was exposed in the Eyemart Express breach?
The confirmed exposed data includes names, addresses, Social Security numbers, driver’s license numbers, medical information, health insurance information, and birth dates. Eyemart Express has not disclosed how many individuals were affected.
When will a settlement be reached in the Eyemart Express case?
TBD. The complaint was just filed in April 2026. Data breach class actions at companies of this size typically take one to two years to reach settlement, depending on discovery and litigation activity. AllAboutLawyer.com will publish a dedicated settlement article the moment one is announced.
Why haven’t I received a notice letter yet?
As of the April 30, 2026 filing date, the lawsuit noted Eyemart Express had yet to provide notice of the data breach to all affected individuals, leaving many class members unaware their private information may have been compromised. Notifications are still being sent — if you were a patient or customer at any Eyemart Express brand, check your mail carefully over the coming weeks.
Can I file my own lawsuit against Eyemart Express?
You can consult a data privacy attorney about pursuing an individual claim, particularly if you have already experienced concrete harm — fraudulent charges, medical identity theft, or similar losses — that you believe are connected to this breach. If you stay in the class action, you will be bound by any eventual settlement and give up the right to sue separately.
How will I know if the Eyemart Express case settles?
AllAboutLawyer.com will cover any settlement announcement as soon as it becomes public. You can also track the docket directly through PACER at pacer.gov using the case name Lewis v. Eyemart Express LLC, filed April 30, 2026 in the Northern District of Texas.
Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the filed complaint in Lewis v. Eyemart Express LLC, the Texas Attorney General’s breach disclosure, and court records of the U.S. District Court for the Northern District of Texas on May 21, 2026. Last Updated: May 21, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah